Speech at Council Meeting - Members’ Motion “Studying the enactment of a cyber security law and building a comprehensive system against cyber fraud”

MOTION ON “STUDYING THE ENACTMENT OF A CYBER SECURITY LAW AND BUILDING A COMPREHENSIVE SYSTEM AGAINST CYBER FRAUD”

Deputy President, I would like to thank Mr Duncan CHIU for proposing this motion.  As we have pointed out in our earlier discussion on the motion on the excessive use of Internet by children and adolescents in this Council, the online world has already become a part of our daily life.  Similar to the physical world, we would also face many risks in the online world, with thieves and hackers racking their brains to steal properties or conduct fraudulent activities.

Recently, there have been a number of large-scale cyber attacks around the world targeting various trades ranging from large retailers in the United Kingdom to French luxury brands, and the situation is worrying.  Personally, I strongly support the adoption of an integrated approach to enhance cybersecurity by building a strong line of defence and interception at source, etc.  With respect to the content of this motion, I would like to express my views on two aspects in particular, namely studying the enactment of legislation and proactively promoting tripartite collaboration among the Government, the business sector and the community.

The virtual nature of cyberspace has determined that the methods and tools required for safeguarding cybersecurity are different from those for the physical world.  In order to keep our home safe, we would install anti-theft security systems with thick and sturdy doors and robust locks.  We can also purchase safe boxes for protecting the property security.  But for the online world, we need to engage experts to design anti-virus software and use sophisticated encryption technologies to protect our data.  In the physical society, laws on protecting properties have a long history, but in the online world, although the Police emphasize that it is not a lawless space, it is really necessary to further strengthen the legal protection in the face of the growing prevalence of cybercrimes.

The Mainland’s Cybersecurity Law, covering network operators, individual users and regulatory authorities, officially came into effect in 2017.  The targets protected range from data to critical infrastructure, whereas legal responsibilities and penalties have also been specified.  A complete legal framework has then been formed together with the Data Security Law and the Personal Information Protection Law which are introduced subsequently.

At present, Hong Kong does not have any dedicated legislation for cybersecurity, but the effect of the legislation on protection of critical infrastructure passed this year is similar to the Mainland’s Cybersecurity Law in some respects.  As to whether it is necessary to further consolidate other existing criminal laws, etc. or even expand the scope of protection, I personally hold a supportive attitude.

Regarding the collaboration among the Government, the business sector and the community in combating cyber frauds, in the case of the financial sector, the Hong Kong Monetary Authority as an official entity has implemented the “Cybersecurity Fortification Initiative” (“CFI”) for the local banking system in as early as 2016, and launched an updated version in 2020.  CFI is underpinned by three pillars, namely the Cyber Resilience Assessment Framework, the Professional Development Programme, and the Cyber Intelligence Sharing Platform.  Since its implementation, the sector has responded very positively and considered that CFI can help to identify cybersecurity gaps, which is very useful for cybersecurity fortification.  I hope the authorities can update the content of CFI regularly in the light of the latest technological development.  With the understanding that the Intelligence-led Cyber Attack Simulation Testing is most effective in guarding against hacker attacks, and that large-scale banks have relatively sufficient resources at present while the resources of small and medium-sized banks are rather limited, the authorities should provide unified guidance and relevant testing tools to assist all parties in addressing the cybersecurity challenges together.

For the banks themselves, data leakage not only implies huge financial losses, but also shakes the cornerstone of trust, so they are often willing to invest in cutting-edge technologies for developing a multi-dimensional defence system and building strong physical and technical barriers, with customer data being placed in the core position in particular.  Besides, they often engage external experts to conduct risk assessment of data processing and cybersecurity as well.  Yet, I believe that banks still should not lower their guard, but continue to strengthen their engagement of cyber experts and provide information security training to all staff members on a regular basis.

Lastly, collaborating with customers (i.e. members of the public) to jointly build a security ecosystem is of the utmost importance.  The Government should continue to carry out publicity work against cyber frauds in various forms, including short videos, dramas, school talks, etc.  Financial institutions should educate their customers about cybersecurity knowledge through their websites and mobile applications: how to set strong passwords and change passwords regularly, identify fraudulent calls and SMS messages, and check account activities regularly, etc., so as to enhance the public’s autonomous control capabilities in respect of cybersecurity.

Deputy President, cybersecurity is a never-ending battle between attack and defence.  It is only when the rigid constraints of the law, the coordination and guidance of the Government, the technological commitment of enterprises and the self-defence of the public are added that a solid shield of protection can truly be formed.  I support the motion and the amendments.  I so submit.